Now, I don't think there is any need to introduce the in-numerous risks and responsibilities that come with a password but there also have been equal number of ways to ensure the protection of the password. Now, Google is doing its bit by developing a Strong Password Generator to fix the issue of password theft. Google's long term plan is Browser log-in plus OpenID to secure password but as OpenID hasn't hit most sites yet, Google will be implementing the Browser control authentication it can afford now.
Though Browser Sync and Password Manager have been around for a while now, they still let users know their password, which might make them vulnerable to attacks like phishing. Google's solution is to make users devoid of their passwords completely. To accomplish this, Chrome needs to know when a user is on a page that is meant for account sign-up. This is achieved via heuristics (i.e. there is an account name field and two password fields).
After determining that it is a sign-up page, Chrome adds a small UI element to the password field. User can choose to click on the element which would pop a small dialogue box as a result. The box would have the random password generated by Chrome which it thinks would be suitable for them. Most sites have conditions when it comes to filling in password boxes, (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters), so users might need to change the password generated if it doesn't fit the site's requirements. After the prompt is accepted, both the password fields are populated by Chrome.
There are a number of shortcomings which are still under work such as the situation where signup field has autocomplete = false. Also, Chrome needs to differentiate between updating password and sign-up page though both pages will use approximately the same heuristics. In case of an update, the Chrome browser would either refill the old password or user can click on the UI element and follow the procedure described above.
Because Chrome manages the passwords, users are unaware of it but there are cases of exceptions where user would need to know the password, for example, when using a different browser. In such a scenario, Google will provide a site similar to Valentine where users can sign in and view (and possibly export?) their passwords. This information would be secured behind a Captcha and users might also be prompted to enroll in StrongAuth when they first start using this feature.
Many would worry that this would shift all password theft attacks at Google but Google believes that it's easier to make logging into Google more secure via StrongAuth than doing so for every other site. Anyhow, Google mentions the possibility of automatically changing all the users if and when their account is hijacked.
Source & Image Credit: Chromium Blog
Hunt for India's Best Academic Project (Applications Open)
Mega project competition for all THIRD and FINAL year engineering students in India. Prizes worth Rs. 80,000+ are ready to be won!
Deadline [Extended]: March 10, 2015. (Won't be extended further)